It can't have escaped your attention that security experts have declared open season on Apple products over the last few weeks. At San Francisco's RSA conference, an even more terrifying exploit has been revealed that has the power to send your iPhone or iPad into a perpetual restart loop. Mobile security firm Skycure has discovered that iOS 8 has an innate vulnerability to SSL certificates that, when combined with another WiFi exploit, gives malicious types the ability to create "no iOS zones" that can render your smartphones and tablets unusable. Before you read on, grab a roll of tinfoil and start making a new case for your iPhone.

Folks buy the highly secure Blackphone handset for the warm and fuzzy feeling that nobody can see their stuff, but that trust was misplaced until recently, according to security expert Mark Dowd. He found a vulnerability in the text message application of the phone that let attackers steal messages, contacts and location info, and even execute malicious code to gain full control. All a bad guy needed to know was the device's "SilentCircle" account info or phone number.

A day after Google publicized a flaw in Windows 8.1 before Microsoft could do anything about it, news broke about a security vulnerability in Android that the Mountain View company, well, won't fix at all. Rafay Baloch, an independent researcher, and Joe Vennix, an engineer at Rapid7 (a security and data analytics firm) found a serious bug in the WebView component of Android 4.3 and below. It's an older bit of software that lets apps view webpages without launching a separate app, and the bug in question potentially opens up affected phones to malicious hackers. Android 4.4 and 5.0 are unaffected by the bug, but as 60 percent of Android users -- that's close to a billion people -- still use Android 4.3 or lower, it still affects a lot of people. Unfortunately, as Tod Beardsley, a Rapid7 analyst, found out, there's no easy way for Google to fix it.

When the world's biggest technology companies start playing rough with each other, it's normally consumers who wind up suffering. This time out, it's Windows users who are feeling the pain after Google publicly posted the details of a Windows 8.1 flaw before Microsoft could fix it. In a public response to the disclosure, Microsoft's security chief Chris Betz says that Google's decision to publish and be damned before his company's scheduled patch was less about "principles" and more about getting one over on its rival.

Did your Twitter app suddenly give you the boot or otherwise behave strangely? It's not just you. The social network has confirmed a sign-in problem that's kicking out hordes of users (so far, mostly on Android) and preventing them from logging back in. Also, TweetDeck on the desktop is listing every new tweet as a year old. We've reached out to the company for more details, but it's possible that there's a date-related flaw at work -- a coder who intercepted the Android app's login traffic, Ninji, has noticed that the company's servers believe it's already 2015. Twitter has engineers tackling the issue, so sit tight if you want to tweet through your favorite apps.

A critical security issue in the network time protocol (NTP) has prompted Apple to push an automatic OS X update to users for the first time. Google researchers discovered the flaw which could allow a remote attacker to "send a carefully crafted packet that can overflow a stack buffer and allow malicious code to be executed." NTP is a common protocol that's been successfully hacked before, so the security hole could result in remote DDoS attacks on many UNIX-based systems, including Linux servers and OS X. The US government deemed it serious enough to flag it, and at first Apple advised users of Yosemite, Mountain Lion and Mavericks to update "as soon as possible." However, several years ago it introduced an automatic OS X update system that requires no user action, and decided to deploy it for the first time ever. An Apple spokesman told Reuters "the update is seamless. It doesn't even require a restart."

Update: Patrick Nielsen, Senior Security Researcher at Kaspersky told us the vulnerability is quite widespread. "The software is installed on everything from consumer gadgets to critical infrastructure; it's possible to execute malicious code on both servers and clients, a dream situation for worms which can spread very quickly by compromising servers and then all their clients," he said. What's more, many firewalls don't block attacks against NTP servers, especially in corporate networks.

Yet another critical security flaw has been found for Adobe's notoriously sieve-like Flash plug-in, this time by Google Engineer Michele Spagnuolo. His exploit tool, called "Rosetta Flash," is just a proof of concept, but could allow hackers to steal your cookies and other data using malicious Flash .SWF files. The exploit is well known in the security community, but had been left unfixed until now as nobody had found a way to harness it for evil. So how does this affect you? Many companies like Twitter, Microsoft, Google and Instagram have already patched their sites, but beware of others that may still be vulnerable. Adobe now has a fix, and if you use Chrome or Internet Explorer 10 or 11, your browser should automatically update soon with the latest versions of Flash, 14.0.0.145 (check your version here). However, if you have a browser like Firefox, you may want to grab the latest Flash version from Adobe directly (watch out for unwanted add-ons with pre-checked boxes). Finally, if you use apps like Tweetdeck or Pandora, you'll need to update Adobe AIR -- that should happen automatically, but the latest version is 14.0.0.137 for Windows, Mac and Android.

If you've shared a Dropbox document recently, but your intended recipients are complaining that the link is bust, then here's the likely reason: The cloud storage service has been forced to sever many shared links after realizing, perhaps a bit late in the day, that they contained an inherent security flaw that could potentially expose documents to the wrong people. Specifically, an authorized user who opens a shared document and clicks on any hyperlink within its text could unwittingly expose the entirety of that document to the webmaster of the hyperlinked site.

The recent Heartbleed scare caused a huge stir, even though it was effectively fixed before it even happened. There are other sorts of security holes, however, which can't be plugged so readily, and which affected companies therefore have less incentive to publicize. A researcher in Singapore, Wang Jing, claims to have uncovered a potentially serious example of this involving the widely-used login services OAuth and OpenID. He says that he's tried to alert major web services that rely on these platforms, including Facebook, Microsoft and Google, but they're refusing to take responsibility for the issue.

The United States National Security Agency reportedly used the recently uncovered "Heartbleed" security exploit to access information, Bloomberg reports. According to two unnamed sources, the NSA exploited the flawed security standard for the past two years without alerting affected companies and the public at large. It's unclear what the exploit was used to access, but the flaw affects a huge portion of the web: something like two-thirds.

Major services like Google are already acting, updating services and patching the issue. For those services, we suggest updating your passwords ASAP. For the still affected sites? Sadly, your best option is to wait it out.

Update: The NSA insists that it only became aware of Heartbleed at the same time as everyone else. This answer isn't going to satisfy everyone given the many contradictory claims about the agency's activities, but hey -- at least it's on top of the situation.

Read our Heartbleed defense primer? Good, but the fight for your privacy isn't over just yet: you might have to replace your router, too. Cisco Systems and Juniper Networks have announced that the Heartbleed bug -- a flaw in OpenSSL that lets attackers bypass common security protocols -- has been found in their networking products. This news isn't too surprising, as any device using OpenSSL is potentially vulnerable, but checking these devices for the flaw is a laborious process. Naturally, devices that don't use the affected versions of OpenSSL (like Linksys routers) are unaffected. Both firms are investigating their product libraries to compile lists of affected devices. You can find those lists here, here (for Juniper Networks) and here (for Cisco Systems). If one of your devices is listed, sit tight and watch for updates; both companies say they're working on patches.

Don't change your password. It's strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it's applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially) but protecting yourself isn't quite as easy as changing your password. Unlike past exploits, Heartbleed isn't a database leak or a list of plaintext logins; it's a flaw in one of the web's most prevalent security protocols -- and until it's fixed, updating your login information won't do a darn thing to protect you. What, then, can you do to protect yourself? Wait, watch and verify.

Most internet security holes, even the bigger ones, tend to be fairly limited in scope -- there are only so many people using the wrong software or visiting the wrong sites. Unfortunately, that's not true of the newly revealed Heartbleed Bug. The flaw, which affects some older versions of common internet encryption software, lets attackers grab both a site's secure content and the encryption keys that protect that content. As such, a successful intruder could both obtain your private information from a given site and impersonate that site until its operators catch on. Since the vulnerable code is both popular and has been in the wild for as long as two years, there's a real possibility that some of your online data is at risk.

Gaping security holes are a pretty terrifying thing, especially when they involve something as sensitive as your Apple ID. Sadly, it seems that immediately after making the paranoid happy by instituting two-step authentication, a pretty massive flaw in Cupertino's system was discovered and first reported by The Verge. Turns out you can reset any Apple ID password with nothing more than a person's email address and date of birth -- two pieces of information that are pretty easy to come across.

There's a little more to the hack, but it's simple enough that even your non-tech savvy aunt or uncle could do it. After entering the target email address in the password reset form you can then select to answer security questions to validate your identity. The first task will be to enter a date of birth. If you enter that correctly then paste a particular URL into the address bar (which we will not be publishing for obvious reasons), press enter, then -- voilà -- instant password reset! Or, at least that's the story. While we were attempting to verify these claims Apple took down the password reset page for "maintenance." Though we've received no official confirmation from Apple, it seems the company is moving swiftly to shut down this particularly troublesome workaround before word of it spreads too far.

Update: We've heard back from Apple on the matter, which stated, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix." No real surprises that a fix is in the works, but there you have it from the horse's mouth.

Update 2: The forgotten password page is back as of late Friday evening -- that was (relatively) quick. iMore reports (and we've verified ourselves) that the security hole is now closed.

The emergency contacts (ICE) menu is proving to be a Pandora's Box of lock screen vulnerabilities on several Samsung Galaxy handsets. Users are finding ways to exploit this weak point and the latest flaw that's come to our attention employs the pop-up browser on the Note II as an accomplice. It requires the information ticker to be active (found in lock screen settings) so news bites and such are displayed on the screen you encounter when waking the device. Touch upon something to find out more and you're sent to the lock screen; from there, head to the ICE menu to find a pop-up browser window containing the item you chose in the ticker. Within that window, anyone can access the handset's clipboard or point the browser to sites holding personal data. Sure, it isn't as bad as the bug that completely disables the lock screen -- identified on the Galaxy S III, but also found to work on the Note II -- but is just another reason to hope the mythical box is almost empty and at the bottom lies a fix.

Lock screens are around for a reason: to keep people from getting where they shouldn't. They aren't always infallible, though, and a few weeks ago, we saw a vulnerability in several builds of iOS 6 that granted access to the phone module without a passcode. Then, a couple of days ago, we reported on a Galaxy Note II bug that allows the quick-fingered to launch anything immediately behind the lock screen. Now, a similar flaw has been found on the Galaxy S III that breaks the lock screen altogether, permitting full use of the phone. To replicate the bug, you'll need to tap the "Emergency Call" button on the lock screen, then go into the ICE (emergency contacts) menu. From there, press the home button, followed quickly by the power button, and that's it. If successful, pressing the power button again will bring up the home screen straight away, and what's more, the lock screen won't return until the handset is restarted. Sounds worryingly simple, right? In our experience, not so much.

We first tried this method on an S III running Android 4.0.4 ICS, and a Note II for good measure, but to no avail. Then, we had a crack at an S III running 4.1.2 Jelly Bean, and were close to giving up trying to replicate it when voilà, it worked. We hoped to provide you with a video of the bug, but it must be camera shy. Despite literally hundreds of attempts in front of the lens and several more behind it, we've only managed it once -- we found it impossible to nail down the correct timing between the home and power button pushes. Samsung's likely aware of the bug already and when quizzed about the Note II vulnerability, said a fix for lock screen issues on affected "Galaxy devices" was in the works (read: they didn't say the Note II specifically). We've reached out for comment just to be sure, but until a patch is provided, keep your phone concealed from nosey types who read tech sites and have saint-like patience.

Update: Samsung has responded, confirming a fix is indeed on its way:

"Samsung considers user privacy and the security of user data its top priority. We are aware of this issue and will release a fix at the earliest possibility."

It seems that every time Apple introduces a new version of iOS, it creates some new method to get past the software's lock screen. A YouTube tutorial reveals the rather simple combination of button presses and fake emergency calls necessary to give you access to anyone's iDevice -- or more specifically to the iOS phone module, from where you can make calls, view and edit contacts, send email and perform any other linked function. You'll have to be quick-fingered, however, as you have to push the home button rapidly after getting into the iPhone's contact list. You can learn how to do it after the break, but until Cupertino issues an update, we'd suggest keeping your beloved fondlephone close by.

Many of us already complain that web ads follow us too closely. You can understand why Internet Explorer users might be nervous, then, when Spider.io claims that the ads are even tracking their mouse movements. A JavaScript hole in Internet Explorer 6 through 10 reportedly lets intruders follow along with the onscreen pointer, regardless of whether or not the browser is the active app. That could easily prove a security risk for anyone using a virtual keyboard, including some tablet owners. Microsoft has confirmed that it's investigating and plans to "adjust this behavior," although it takes issue with Spider.io both focusing on IE and decrying two ad analytics firms that are supposedly exploiting the flaw today. The Redmond team argues that other browsers have "similar capabilities" and that Spider.io has ulterior motives, being an ad analytics firm itself -- it allegedly wants to knock down two competitors that it doesn't think are playing fair. We've asked Spider.io for its reaction and will get back if we're told more. In the meantime, don't be too alarmed, as the vulnerability would likely only work with detailed knowledge of the target PC.

When Sony's designers put a port flap on the Xperia Tablet S in an effort to make it splash-proof, they surely didn't count on their good intentions being undermined by leaky build quality in other areas. According to Reuters though, that's exactly what has happened: a number of tablets have come off the production line with gaps between the screen and the chassis, and it must be a significant proportion because Sony has now decided to halt sales until it can get the problem fixed. The company is also promising to repair any of the 100,000 tablets that have already shipped, but doesn't expect the issue to be serious enough to dampen its earnings (which, let's face it, could already do with some time out in the sun).

If you're a frequent texter, and the iPhone is your weapon of choice, there's a good chance you've been a wee bit concerned since yesterday's report that the device is vulnerable to a certain SMS spoofing attack. Basically, it's possible for a malicious individual to send a message and specify a reply-to number that is not their own, appearing as if they are someone else. We got in touch with an Apple representative and here's what we were told:

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.

Even if you aren't on an iPhone, we'd like to remind you to be careful when texting. There are numerous services out there that let you send a message that appears to be from anybody you like -- regardless of what model, OS or even carrier the recipient is using. All the more reason to think twice before filing that loan application over SMS.

If you're an iPhone owner, you may want to use good judgment before responding to any out-of-the-blue text messages in the near future. French jailbreak developer and security researcher pod2g finds that every iPhone firmware revision, even iOS 6 beta 4, is susceptible to a flaw that theoretically lets a ne'er-do-well spoof the reply address of outbound SMS messages. As Apple is using the reply-to address of a message's User Data Header to identify the origin rather than the raw source, receiving iPhone owners risk being fooled by a phishing attack (or just a dishonest acquaintance) that poses as a contact or a company. A proof of concept messaging tool is coming to the iPhone soon, but pod2g is pushing for an official solution before the next iOS version is out the door. We've asked Apple for commentary and will get back if there's an update. In the meantime, we wouldn't panic -- if the trickery hasn't been a significant issue since 2007, there isn't likely to be a sudden outbreak today.

Soon after the Star Trek: The Next Generation Season One Blu-ray set launched last week, reports came in that there was an audio problem with the surround sound, and now CBS and Paramount have responded. According to a statement (included after the break) the problem is isolated to the English 7.1 DTS Master Audio track on some episodes where the front channels are mapped incorrectly. If you own the set, you can email (phe.stng@bydeluxe.com) or call (877-335-8936 between 8AM and 6PM PT) for replacements of Discs 1, 3 and 4; simply have your set nearby and ready to read the code located on the inner ring. You won't need to send in your discs, and the replacements are expected to ship after August 10th and take up to five days to arrive.

Wed, 01 Aug 2012 14:38:00 -0400

http://www.engadget.com/2012/03/01/android-and-ios-expose-your-photos-to-third-party-apps-promise/

2012 is still young, yet it's already shaping up to be a bad year for privacy and security on the mobile front. Apple found itself embroiled in a bit of a brouhaha over the iPhone address book and an app called Path. And, of course, Google was put under the microscope when mobile Safari was found to have a security flaw that its mobile ads were exploiting. Then, earlier this week, it was discovered that granting iOS apps access to your location could also expose your photos. Now it's been discovered that Android also exposes your images, though it's doing so without asking for any permissions at all. While Apple was masking photo access with other permissions, Google is simply leaving your pics vulnerable as a part of a design quirk that came from the OS's reliance on microSD cards. Both companies have acknowledged the flaws and have said they're currently working on fixes. We're just hoping things start to quiet down soon, though -- our mobile operating systems are running out of personal data to expose. Check out the source links for more details.

Thu, 01 Mar 2012 17:54:00 -0500

http://www.engadget.com/2012/02/23/samsung-may-cough-up-millions-over-kaput-tvs/

A class action lawsuit filed by owners of faulty Sammy TVs has finally reached a settlement. The manufacturer has promised to foot the bill for new repairs, reimburse for previous repairs and hand out up to $300 to customers who no longer possess their broken TVs but can prove they once did. The fault can affect any of the models listed above -- possibly up to seven million sets in total -- and centers on an errant capacitor in the power circuit that stops the TV turning on, makes it slow to turn on, produces a "clicking sound" or makes it cycle on and off. If you think you're affected then check the source link for details on what to do next. Curious to know how much the lawyers got? A cool half-million for their troubles, which means they'll be upgrading to OLED.

Update: A Samsung spokesperson offered up the following response,

Approximately 1 percent of Samsung televisions sold in the U.S. from 2006 to 2008 have experienced some performance issues caused by a component called a capacitor. Since originally confirming this issue in early 2010, Samsung has voluntarily provided free repairs for U.S. customers with affected televisions. Recently, a nationwide class settlement covering all affected televisions in the U.S. was reached in Russell, et al. v. Samsung Electronics America, Inc., a lawsuit filed in the District Court of Oklahoma County in the U.S.

Thu, 23 Feb 2012 06:28:00 -0500

http://www.engadget.com/2012/02/15/google-wallet-gets-prepaid-security-fix/

Google says it's fixed a Wallet security flaw that potentially allowed a phone thief to spend a user's prepaid balance. The ability to provision new prepaid cards had been suspended pending the update, but has now been restored. Things aren't quite back to normal in the Big G's world of mobile money, however. Users still find themselves caught between two competing arguments over an entirely different vulnerability, which involves a 'brute-force' attack on rooted devices. Google insists that this isn't a major concern, so long as Wallet users refrain from rooting, and that the system still "offers advantages over the plastic cards and folded wallets in use today." On the other hand, the company that discovered this issue -- zvelo -- has come back at Google with an equally blunt response. It acknowledges that a handset must be rooted to be vulnerable, but crucially its researchers also say that a device doesn't have to be rooted before it's stolen. In other words, they allege that a savvy thief can potentially steal a phone and then root it themselves, and they won't be happy with Wallet until it requires a longer PIN number. Whichever argument sways you, it's worth bearing in mind that there's no evidence that anyone has yet managed to exploit these weaknesses for criminal purposes.